SaaS 


Objectives 


* Explain what SaaS is and how it’s used today
* Discuss security risks surrounding SaaS
* Understand that organizations must learn to accept that using SaaS in some capacity is inevitable


What is SaaS 


* SaaS is Software as a Service
* Many organizations use this model to provide services that they can’t provide themselves
* Eliminates the need to run hardware and software on premise
* Third party runs software on their infrastructure
* Can be a hybrid model where some hardware and software is on premise, but communicates with the cloud


SaaS Examples 


* G-Suite
* Office 365
* DropBox
* Salesforce
* Slack
* Docusign
* WebEx


SaaS Applications 


* Organizations may use SaaS because of:
  * Lower TCO
  * Lack of or inexperienced staff
  * Lack of technical resources such as a data center
  * Deployment timeline
  * Lack of knowledge of what can be accomplished with existing tools


SaaS Risks - Data 


* Data
  * Provider could sell data
  * Provider could lose data
  * Provider could breach data
  * Is in more than one place
  * Restrictions based off compliance - ITAR, FISMA
  * How is your data secured


SaaS Risks - Instability/Flawed business model


* Updates without notice
* Feature removal
* Flawed architecture
* Outages
* Competition forces company to go out of business


SaaS Risks - Provider Security 


* Does the provider perform audits
* Is the provider transparent about security vulnerabilities and remediation
* Does the provider use secure protocols
* What have been the results of the provider's last compliance check
* Do they have incident response procedures


SaaS Risks - Organizational Risk 


* Unfamiliar or restrictive terms of use
* Long term contract locks in organization
* Shadow IT
* Paying for similar technology that the company already sanctions


SaaS is inevitable 


* University sanctioned SaaS
  * Office 365
  * Blackboard
  * Canvas
  * LastPass
  * WebEx
* University unsanctioned SaaS
  * Slack
  * DropBox
  * Gmail
  * Carbonite
  * CrashPlan
  * Many more...


SaaS response 


* Understanding where SaaS is, is important
* Understand that you cannot control everything
* Meet your stakeholders in the middle
* Understand the needs of others in the organization
* Is the use of unsanctioned SaaS because of:
  * Lack of awareness
  * Lack of features
  * Inadequate functionality


